Saturday, February 14, 2009

Where is the Motivation for Deprovisioning?

A series of blog posts on self-service deprovisioning in the federation world got me thinking about a simpler, albeit very real, problem with the "traditional" deprovisioning process inside a company.

Most companies that have an IdM system have two ways to deprovision users:
  1. Emergency Termination Workflow (a manager logs on to the deprovisioning workflow and kicks off the termination process, which disables accounts across the board)
  2. Automated Terminations (the IdM system keys off HR, Payroll or some other authoritative store that provides the user's status and termination date, and disables accounts automatically once that store says the user is gone)
The problem I've seen most companies face is with the second workflow: the termination data is entered late, so the authoritative store only reflects a departure days after the person has actually left, and the accounts stay enabled for that whole window. So why not put together a workflow for self-service deprovisioning, where the departing user kicks off the process?
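To make the timeliness problem concrete, here is an added example (not code from the original post) of the second workflow: a nightly job that reads an HR feed and disables accounts whose termination date has passed. The record layout (employee_id, status, termination_date, recorded_on), the nightly schedule and the sample records are all assumptions constructed for this illustration. The point it shows is that the IdM system can only act once HR has recorded the termination, so a record entered ten days late leaves the account enabled for ten days no matter how well the automation works.

```python
"""Automated termination keyed off an HR feed, with the exposure window
created by late data entry made visible.

Added example, not from the original post. Record fields, the nightly
cadence and all sample data below are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class HrRecord:
    employee_id: str
    status: str                       # "active" or "terminated"
    termination_date: Optional[date]  # last day of employment
    recorded_on: Optional[date]       # day HR actually entered the termination


@dataclass
class Account:
    employee_id: str
    enabled: bool = True
    disabled_on: Optional[date] = None


def feed_visible_on(hr_records, day):
    """The HR feed as the IdM system sees it on a given day.

    A termination only shows up in the feed once HR has recorded it; until
    then the person still looks active to the automation."""
    visible = []
    for rec in hr_records:
        if (rec.status == "terminated" and rec.recorded_on is not None
                and rec.recorded_on > day):
            visible.append(HrRecord(rec.employee_id, "active", None, None))
        else:
            visible.append(rec)
    return visible


def reconcile(feed, accounts, today):
    """Disable every enabled account whose HR record is terminated with a
    termination date on or before today. Returns (employee_id, day) per disable."""
    actions = []
    by_id = {a.employee_id: a for a in accounts}
    for rec in feed:
        acct = by_id.get(rec.employee_id)
        if acct is None or not acct.enabled:
            continue
        if (rec.status == "terminated" and rec.termination_date is not None
                and rec.termination_date <= today):
            acct.enabled = False
            acct.disabled_on = today
            actions.append((rec.employee_id, today))
    return actions


def run_nightly(hr_records, accounts, start, end):
    """Run the automated termination job once per day over [start, end]."""
    day = start
    while day <= end:
        reconcile(feed_visible_on(hr_records, day), accounts, day)
        day += timedelta(days=1)
    return accounts


def exposure_days(hr_records, accounts):
    """Days each terminated account stayed enabled past the termination date.

    This is exactly the window the 'data entered late' problem creates."""
    recs = {r.employee_id: r for r in hr_records}
    out = {}
    for acct in accounts:
        rec = recs[acct.employee_id]
        if rec.status == "terminated" and acct.disabled_on is not None:
            out[acct.employee_id] = (acct.disabled_on - rec.termination_date).days
    return out


# Constructed sample feed (not real data).
HR_RECORDS = [
    HrRecord("e1001", "terminated", date(2009, 2, 2), date(2009, 2, 12)),  # entered 10 days late
    HrRecord("e1002", "terminated", date(2009, 2, 9), date(2009, 2, 6)),   # entered in advance
    HrRecord("e1003", "active", None, None),
]


def demo():
    """Nightly runs over two weeks; returns exposure days per terminated account."""
    accounts = [Account(r.employee_id) for r in HR_RECORDS]
    run_nightly(HR_RECORDS, accounts, date(2009, 2, 1), date(2009, 2, 14))
    return exposure_days(HR_RECORDS, accounts)


if __name__ == "__main__":
    for emp, days in demo().items():
        print(f"{emp}: enabled {days} day(s) past termination")
```

The termination entered in advance (e1002) is disabled on the termination date itself, so its exposure is zero; the one entered after the fact (e1001) is disabled the night the record first appears, ten days after the person left. No tuning of the job closes that gap; only getting the data in earlier does, which is what the self-service idea below is after.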

The only problem with this approach is the lack of motivation for an end user to run through the workflow. Perhaps completion of the workflow could be tied to something the end user actually cares about, which would motivate them to run through it. Some ideas...

  • Severance Pay
  • COBRA Enrollment
  • Continued Communications (to capture a personal e-mail address?)
  • An iPhone? (seems to work for other things)

I bet that this approach would solve some of the data-timeliness issues. What do you think?


Byron Arnao said...

Perhaps one could take this concept further and have users certify information semi-annually (e-mails, phones, etc.). This can be as simple as clicking links in e-mails (if you receive them), text confirmation codes on cell phones, and perhaps voice verification for non-cell phones.

I like the thought of motivating the users into keeping the information up to date and/or removing themselves.

Perhaps one could create an identity score associated with the identity that could be based on a metric of # of verified contacts in a sliding window.

So in this model, users with an identity score of 8 (better than 2) would not be targeted for identity refresh (some manual process?), whereas a 2 score would be targeted (sent e-mails, called, etc.) and ultimately removed.

One could set some type of business rule that if an account was in a 2 status and could not be verified in X period, some account privileges could be removed/disabled...

Hmmm... the mind reels at the possibilities...

